CVE-2026-34459: CWE-121: Stack-based Buffer Overflow in sandboxie-plus Sandboxie
Sandboxie-Plus is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, the SbieSvc proxy service's GetRawInputDeviceInfoSlave handler contains two vulnerabilities that can be chained for sandbox escape. First, when a sandboxed process sends an IPC request with cbSize set to 0, up to 32KB of uninitialized stack memory from the service process is returned, leaking return addresses and stack cookies which bypass ASLR and /GS protections. Second, the handler performs a memcpy with an attacker-controlled length without verifying it fits within the 32KB stack buffer, enabling a stack buffer overflow. By chaining the information leak with the overflow, a sandboxed process can execute a ROP chain to achieve SYSTEM privilege escalation, even from a Security Hardened Sandbox. Hardware-enforced shadow stacks (Intel CET) prevent the ROP chain execution but do not mitigate the information leak. This issue has been fixed in version 1.17.3.
AI Analysis
Technical Summary
Sandboxie-Plus, an open source sandbox isolation software for Windows, has a stack-based buffer overflow vulnerability (CWE-121) in versions prior to 1.17.3. The vulnerability exists in the SbieSvc proxy service's GetRawInputDeviceInfoSlave handler, where an IPC request with cbSize set to 0 leaks up to 32KB of uninitialized stack memory, revealing return addresses and stack cookies that bypass ASLR and /GS protections. Additionally, a memcpy operation uses an attacker-controlled length without bounds checking, causing a stack buffer overflow. By chaining these two issues, a sandboxed process can execute a ROP chain to escalate privileges to SYSTEM, even from a Security Hardened Sandbox. Intel CET hardware shadow stacks prevent the ROP execution but do not mitigate the initial information leak. The vulnerability is addressed in Sandboxie-Plus version 1.17.3.
Potential Impact
Successful exploitation allows a sandboxed process to escape the sandbox and escalate privileges to SYSTEM level on the affected Windows system. This can compromise system integrity and security by bypassing sandbox isolation and executing arbitrary code with high privileges. The information leak facilitates bypassing memory protection mechanisms, increasing the exploitability of the buffer overflow.
Mitigation Recommendations
Upgrade Sandboxie-Plus to version 1.17.3 or later, where this vulnerability has been fixed. No other official remediation or temporary fixes are indicated. Systems running affected versions remain vulnerable until updated.
CVE-2026-34459: CWE-121: Stack-based Buffer Overflow in sandboxie-plus Sandboxie
Description
Sandboxie-Plus is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, the SbieSvc proxy service's GetRawInputDeviceInfoSlave handler contains two vulnerabilities that can be chained for sandbox escape. First, when a sandboxed process sends an IPC request with cbSize set to 0, up to 32KB of uninitialized stack memory from the service process is returned, leaking return addresses and stack cookies which bypass ASLR and /GS protections. Second, the handler performs a memcpy with an attacker-controlled length without verifying it fits within the 32KB stack buffer, enabling a stack buffer overflow. By chaining the information leak with the overflow, a sandboxed process can execute a ROP chain to achieve SYSTEM privilege escalation, even from a Security Hardened Sandbox. Hardware-enforced shadow stacks (Intel CET) prevent the ROP chain execution but do not mitigate the information leak. This issue has been fixed in version 1.17.3.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Sandboxie-Plus, an open source sandbox isolation software for Windows, has a stack-based buffer overflow vulnerability (CWE-121) in versions prior to 1.17.3. The vulnerability exists in the SbieSvc proxy service's GetRawInputDeviceInfoSlave handler, where an IPC request with cbSize set to 0 leaks up to 32KB of uninitialized stack memory, revealing return addresses and stack cookies that bypass ASLR and /GS protections. Additionally, a memcpy operation uses an attacker-controlled length without bounds checking, causing a stack buffer overflow. By chaining these two issues, a sandboxed process can execute a ROP chain to escalate privileges to SYSTEM, even from a Security Hardened Sandbox. Intel CET hardware shadow stacks prevent the ROP execution but do not mitigate the initial information leak. The vulnerability is addressed in Sandboxie-Plus version 1.17.3.
Potential Impact
Successful exploitation allows a sandboxed process to escape the sandbox and escalate privileges to SYSTEM level on the affected Windows system. This can compromise system integrity and security by bypassing sandbox isolation and executing arbitrary code with high privileges. The information leak facilitates bypassing memory protection mechanisms, increasing the exploitability of the buffer overflow.
Mitigation Recommendations
Upgrade Sandboxie-Plus to version 1.17.3 or later, where this vulnerability has been fixed. No other official remediation or temporary fixes are indicated. Systems running affected versions remain vulnerable until updated.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-27T18:18:14.896Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69fa4dc2cbff5d86102152a0
Added to database: 5/5/2026, 8:06:26 PM
Last enriched: 5/5/2026, 8:21:40 PM
Last updated: 5/6/2026, 3:53:46 AM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.